Target Seeks New CIO

Target is looking for a new chief information officer following the resignation of CIO and executive VP of technology services Beth Jacob on Wednesday.

As the company's top technology executive, Jacob had responsibility for Target's computer systems and network, which succumbed to hackers late last year, enabling a massive data breach.

The breach began on Nov. 27, was confirmed on Dec. 15, and ended on Dec. 18. The company initially said 40 million credit and debit card accounts were affected, but its investigation subsequently revealed that a separate set of data, stored elsewhere and covering 70 million accounts, also had been stolen.

One of the largest retail data thefts ever, the incident contributed to a 40% decline in the profit reported by the company last month.

Jacob started with Target in 1984 as an assistant buyer. She left in 2002 then returned to the company in 2006. She was appointed CIO in 2008.

In an emailed statement, Gregg Steinhafel, chairman, president and CEO of Target, confirmed that the company is seeking a new CIO. "While we are still in the process of an ongoing investigation, we recognize that the information security environment is evolving rapidly," he said. "To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information security and compliance structure and practices at Target. As a first step in this effort, Target will be conducting an external search for an interim CIO who can help guide Target through this transformation."

Steinhafel said Target will be "elevating the role of the chief information security officer" and filling the position externally. He also said the company plans to look for a chief compliance officer outside the company. In addition, he said Target is working with Promontory Financial Group to assess its systems, infrastructure, business processes, and talent.

The new chief compliance officer position has been created in conjunction with a retirement: Target's current VP of assurance risk and compliance, Ann Scovil, previously planned to retire at the end of March, according to a company spokeswoman. As part of its effort to rebuild its information security infrastructure and processes, Target has decided to divide responsibility for assurance risk and compliance.

Beyond changes in personnel and processes, Target last month said it plans to invest $100 million to issue smart chip credit and debit cards and to equip its stores with the hardware to handle the technology.

Pen testing helps companies become more secure by finding and analyzing their insecurities, but pen test services can be fraught with their own kind of risk. In this Dark Reading report, Choosing, Managing And Evaluating A Penetration Testing Service, we recommend what to look for in a provider and its wares, how to get what you pay for, and how to ensure that pen testing itself doesn't open the company or its employees up to new risk. (Free registration required.)

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

By most every measure, Target CIO Beth Jacob has had an impressive career. If anyone understood Target's business and its customers, she did. And her advancement through the organization suggests she understood how to manage big issues in a fast moving environment, which is what retailers must do every week.

Whether she was up to the task of managing Target's Technology Services, or simply had to take the sword in what is proving to be a very costly hacking, only Target's insiders will know.

Her departure raises two questions. Are enterprises better served when a business (customer) champion is in charge of IT, so long as the IT team has the requisite talent, versus someone who came up through the tech ranks? (My sense is, with the right management skills, the answer is sure, why not?) The other question is, what are other CEOs across the nation doing to elevate IT security in their firms in the aftermath of the Target breach?

Target's CEO Gregg Steihafel certainly found out the hard way how costly it can be not being prepared for today's rapidly evolving cyber threats.

Bup to eth Jacob is by all accounts a very impressive woman. She has a bachelor's degree in retail merchandising and an MBA, and has risen steadily at a major retailer to become Executive Vice President and CIO at a young age. Sounds like a perfect job, right? Except when you consider that the company where she's spent most of her career just experienced a breach of 40 million credit and debit cards during the holiday season. - See more at: http://www.enterprisingcio.com/368/will-cio-become-target#sthash.kGOX0ORO.dpuf

I think that's the case. Silicon Valley vendors are fond of saying that every company in the world will soon be a technology company. It's a good sales slogan when you're the one selling tech products and services-- but for any company the size of Target, it's also true.

I am surprised a company as large as Target did not have a chief security officer. A CIO doesn't need to have hands-on experience with technology; they should know how an organization can use technology to differentiate the business. But a CSO or CISO must be well-versed in security technologies and understand how various solutions can safeguard employees, customers, and partners without impacting the experience.

Good point - we should have a know-how person in the enterprise, who has hands-on experience about security related technologies and the understanding about corportate security. CIO should not be the one who takes full security ownership.

Very hard to apportion blame from the outside. I'd be curous what an objective security expert, if there is such a thing, would say. The shops of some of the best people are broken into. But this decision to replace her will be noted by every CIO in the country and security will be tightened in many places,

From this perspective, CIO is becoming a kind of job with higher and higher risk. You need to not only make the decision for IT infrastructure, but also take care of the operation and prevent any kind of security breach. If an accident happened, unfortunately you may risk your career.:-(

If she fought for better security and was shot down, then it seems unfair. If security was low on her radar, then she was part of the problem that allowed hackers to break into the company and damage its sales and image. As a CIO, you play a bigger and bigger role in a company's image these days. Tech is a large part (both before and behind the scenes). Think websites, etail, apps, and partnerships with third-party apps like Shopkick, and it's clear how important tech is to actual transactions plus marketing and engagement. That's one reason CIOs must push hard for smart security spending. Even if boards don't agree, at least CIOs are on record if the unimaginable happens.